Unchecked Buffer in Opera 7.02

2003-04-08T00:00:00
ID SECURITYVULNS:DOC:4358
Type securityvulns
Reporter Securityvulns
Modified 2003-04-08T00:00:00

Description

Tested version : Opera 7.02 Build 2668

Vendor Status : Vendor was contacted on 8-4-2003

Description :

Opera web browser has an unchecked buffer in his code that allow a malicious website to crash it and in certain circumstances , execute code with user priviliges .

To reproduce the bug open this link

http://usuarios.lycos.es/idoru/aaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.zip

Opera crashes with an access violation . Instruction pointer EIP is overwritten by the file name converted to unicode . That makes only possible to reference certain addresses in memory to execute . To place your code to execute in a valid address you have to assign it to an enviroment variable .That place your code in an address that can be referenced by EIP ( ~00010040 )

--

Regards ,

David F. Madrid Madrid , Spain